Data Retrieval over DNS in SQL Injection Attacks
Abstract
This paper describes an advanced SQL injection technique where DNS resolution process is exploited for retrieval of malicious SQL query results. Resulting DNS requests are intercepted by attackers themselves at the controlled remote name server extracting valuable data. Open source SQL injection tool sqlmap has been adjusted to automate this task. With modifications done, attackers are able to use this technique for fast and low profile data retrieval, especially in cases where other standard ones fail.
- Publication:
-
arXiv e-prints
- Pub Date:
- March 2013
- DOI:
- 10.48550/arXiv.1303.3047
- arXiv:
- arXiv:1303.3047
- Bibcode:
- 2013arXiv1303.3047S
- Keywords:
-
- Computer Science - Cryptography and Security;
- Computer Science - Databases;
- Computer Science - Networking and Internet Architecture
- E-Print:
- 7 pages, 3 figures, 1 table. Presented at PHDays 2012 security conference, Moscow, Russia